Apple alerts users in 92 nations to mercenary spyware attacks
Author : alwillis
Score : 343 points
Date : 2024-04-11 15:06 UTC (7 hours ago)
(HTM) web link (techcrunch.com)
| blakesterz wrote:
| If I got a message that said: "Apple detected
| that you are being targeted by a mercenary spyware attack that is
| trying to remotely compromise the iPhone associated with your
| Apple ID -xxx-," it wrote in the warning to affected customers."
|
| I would assume it's fake, part of some phishing scam. How can we
| know something like this is real? I'd be even more likely to
| think it's fake if it looks different than all the other messages
| I get.
|
| Edited to add: As a comment below pointed out, if you "sign in to
| appleid.apple.com" it'll confirm, which even I would trust!
| Thanks to quitit for pointing that out.
| speedgoose wrote:
| But if the phishing scam manages to display such a message in a
| different way on your phone, you can't trust the phone anymore
| as it has likely been hacked.
| __jonas wrote:
| On the Apple Support page here:
|
| https://support.apple.com/en-in/102174
|
| In the screenshot it says the threat notification was sent
| "via email and iMessage", so it would not be displayed in any
| different way on your phone, which I also find surprising. I
| definitely wouldn't expect to receive something like this as
| an Email, and I have turned off iMessage.
| the_mar wrote:
| Just out of curiosity, why would you have iMessage turned
| off?
| w0m wrote:
| Unless things have changed since I last looked, if those
| you talk to aren't also on iMessage, it feels like a net
| negative to use as you get inconsistent/negative behavior
| between contacts. From that end, it becomes sort of a
| moral issue with the clearly arbitrarily locked gates and
| poor experiences. So you disable and use a non-malicious
| and cross platform solution.
| rootusrootus wrote:
| Apple is malicious, but Facebook is totally okay?
| sneak wrote:
| iMessage histories are backed up in the nightly automatic
| non-e2ee iCloud Backup, effectively backdooring
| iMessage's "end to end encryption" by escrowing the
| plaintext to a not-endpoint.
|
| Apple can read approximately everyone's iMessages out of
| their backups. It's not private or secure, and claiming
| it is end to end encrypted is misleading almost to the
| point of being actually false.
| ZekeSulastin wrote:
| Albeit recent and optional, isn't that a hole
| specifically fixed by the Advanced Data Protection
| option[0]? Granted, it doesn't do much if your recipients
| don't also have it enabled.
|
| 0: https://support.apple.com/en-us/102651
| jackson1442 wrote:
| This is the same behavior as SMS if you have enabled
| "Messages backup." If backup is not enabled you will not
| have a copy of iMessages stored in iCloud (though all
| compatible and configured devices will still receive
| messages).
|
| This can be changed by opting in to the e2ee iCloud data
| service "Advanced Data Protection."
| sneak wrote:
| Nope. Even opting into ADP, your iMessage conversations
| will still be backed up to Apple without e2ee - just from
| the non-ADP phones of all the people you iMessage with
| instead of your own phone.
|
| iMessages are backed up in duplicate - once on the sender
| and once on the receiver. You can only control e2ee for
| half of it, so your conversations are still under
| surveillance unless everyone you message with has also
| turned on ADP.
| astrange wrote:
| That has nothing to do with turning it on or off since
| the same happens with SMS.
| Vicinity9635 wrote:
| Still a step above SMS.
| vinay_ys wrote:
| iMessage has been one of the most successful delivery
| vectors for these spyware attacks.
|
| So, if you think you are a likely target of a state-sponsored
| attack, the best thing you can do on an Apple
| device is to turn on Lockdown Mode, turn off iCloud and
| iMessage, stop using Keychain, use only a YubiKey for all
| authentication, restrict yourself to a limited number
| of essential apps on your primary device, use a
| dedicated burner device for all your throwaway browsing
| and communications, and erase/reset that device after
| every session. And still, assume everything you say and
| do online is fully compromised, because there are always
| system vulnerabilities that haven't been made known yet
| ('zero-day' attacks) and are being used to compromise
| highly targeted individuals. In the end, it is a very
| convoluted cat and mouse game.
| draugadrotten wrote:
| > assume everything you say and do online is fully
| compromised
|
| This is the way.
| nprateem wrote:
| So it's not just me :-D
| 1oooqooq wrote:
| *tinfoil hat on
|
| iMessage and RCS (and arguably MMS, although that started
| as cost cutting) are backdoors for the legal protections
| on mining telephony provider metadata for marketing. With
| those two "opt in" (lol) techs, all safeguards are off.
| __jonas wrote:
| I'm in Europe, and I haven't encountered anyone in my life
| who has used iMessage (everyone uses WhatsApp, now also
| Telegram/Signal), so I don't really have a use for it.
| When I wanted to try the weird AR emoji / heartbeat
| reaction message things with my partner, we noticed we
| both had iMessage turned off. I guess it's like a setting
| that maybe we skipped during the phone setup? Not sure if
| it's on by default for some people.
| plufz wrote:
| Where in Europe is that? Surprising to me (Swedish).
| __jonas wrote:
| I've lived in Germany and the UK, I guess I wrongly
| assumed it was like this everywhere in Europe. Might also
| be related to the social environment.
|
| I am noticing that the social circle I am currently in has
| now largely moved to Telegram, whereas in other places
| it's 100% WhatsApp.
| unicon wrote:
| I heard it should show as a badge/banner on top of your iCloud
| Web Panel in the browser.
|
| Edit: on top of the message you get
| c0t300 wrote:
| At the end it says that you can check the validity by signing
| in to iCloud; there an alert banner is shown.
| quitit wrote:
| > How can we know something like this is real?
|
| From Apple's website:
|
| "To verify that an Apple threat notification is genuine, sign
| in to appleid.apple.com. If Apple sent you a threat
| notification, it will be clearly visible at the top of the page
| after you sign in."
|
| https://support.apple.com/en-lamr/102174
| grecy wrote:
| As long as it doesn't have any links to click or try to force
| you to login to something, it just sounds like information to
| me.
|
| If my bank sent me something about Credit Card fraud I would be
| very skeptical if it had a big "CLICK HERE TO LOGIN" type of
| thing.
|
| But if it was just info, and maybe ended with "Contact your
| local branch to learn more", but no links, no phone numbers,
| etc. I would be less skeptical.
| jayrot wrote:
| This is, I think, a valuable heuristic. Anything but the most
| complex and long-term scam always includes some call to
| action, nearly always URGENT and IMMEDIATE (so as not to give
| you a chance to think about it or research it).
|
| A notification that is ONLY a notification about something is
| very unlikely to be malicious (though could certainly be
| erroneous). My bank will send me a concerning email or SMS
| about suspicious activity that needs to be reviewed or
| confirmed, but because they know it's a vector for attack
| they specifically ask you to call them at their published
| number listed on your card.
| world2vec wrote:
| Doesn't say which 92 nations tho.
| scoot wrote:
| I thought it odd that the end-user message mentioned it at all.
| Compared to last year's message it strays into editorial
| content.
| Vicinity9635 wrote:
| opsec
| bee_rider wrote:
| There's a reddit thread by somebody who got one of these:
|
| https://old.reddit.com/r/iphone/comments/1c10jai/i_have_rece...
|
| The interesting thing IMO is they claim to just be some random
| college student. Which seems believable because if they were a
| real secret squirrel I guess they wouldn't ask reddit about it,
| haha.
|
| I wonder if the hackers are targeting people based on phone
| numbers or something. (I could imagine a college student recently
| getting a new number and ending up with one that'd been
| associated with a target--I guess? Although you'd hope there'd be
| a way to retire numbers that are known to be targets).
| Despegar wrote:
| Well, they might be just a college student, but they could
| have a relationship with the actual target in some way. And if
| it's part of a complex operation they could be trying some
| indirect approaches.
| passion__desire wrote:
| Or maybe have a bigger blast radius so that it is difficult
| to know the exact targets. Drown the detection algos in the
| noise.
| ethbr1 wrote:
| Exactly. If you're identifying targets by noisy proxy
| signals (geo/IP + behavior?) then you're going to have non-
| zero false positives.
| alwillis wrote:
| > Well, they might be just a college student, but they
| could have a relationship with the actual target in some way.
|
| People who are "just" college students often are the sons and
| daughters of people who could be targeted. Not to mention
| people in their social circles.
| t-sauer wrote:
| That person already got targeted last summer. I doubt they are
| as uninteresting as they believe/claim to be.
| josefresco wrote:
| It doesn't take much to be a target. CIA spy maybe not, but
| the net is wide when it comes to surveillance. Infrastructure
| providers, higher education, research labs are all common
| targets.
| duxup wrote:
| >It doesn't take much to be a target.
|
| I wonder how to quantify this. Even for folks in those
| industries listed, while there may be reasons we could
| imagine to target them... I would imagine lots of folks in
| those same industries are NOT targeted.
|
| Of course we'd have to identify "targeted"; personally I
| wouldn't include "your name ended up on a list after
| someone grepped a bunch of data". I would think of
| "targeted" as a more curated type of list / process, and then
| the call was made to "target" someone.
|
| Otherwise, heck random scanning on the internet would be
| "targeted".
| Vicinity9635 wrote:
| You'd be surprised. A college student in an interesting field
| is an interesting target. Doesn't mean he's done anything
| nefarious or even shady.
|
| Industrial espionage is a thing.
| t-sauer wrote:
| Why would a college student be an interesting target simply
| for being a college student in an interesting field? If
| they work at an interesting company or something like that
| I would understand, but the knowledge that is accessible in
| colleges is not some super secret stuff or am I missing
| something?
| pulisse wrote:
| The conversation here is focussing on industrial
| espionage, but that's only one use case for this kind of
| active measure. An association with an opposition
| political party could easily get one on a surveillance
| list.
| sangnoir wrote:
| Yep, imagine an international postgrad student from an
| NSO client-state who criticizes their home country's
| leadership online, or is perceived to be a political
| activist; they are likely to be targeted by their own government
| for additional on-device monitoring via spyware. This
| could provide a springboard into monitoring other groups
| the victim may be a member of.
| threeseed wrote:
| We've had this problem quite a bit in Australia.
|
| Chinese students attending protests have had their
| families back home warned.
|
| Personally know friends this has happened to.
| bennyhill wrote:
| Colleges are basically outsourced green field R&D setups,
| through professors as well as patent departments, to
| monetize their internal/grant research spend. Sampling
| in a large company, what you would happen upon is mundane
| additions to complex solutions you would be unlikely to
| want to copy if you weren't along for the earlier parts
| of the ride.
| cookiengineer wrote:
| They are gullible and they need the money.
|
| Student debts are a harsh reality a lot of people cannot
| escape from.
| josefresco wrote:
| "random college student"
|
| I think there's a misunderstanding on what constitutes a valid
| or ideal target for state sponsored (or "mercenary") attackers.
| Simply working at a research lab, industrial manufacturer,
| power station, tech company or knowing a certain professor can
| put you on a target list.
| IncreasePosts wrote:
| It could also be an accidental misidentification - maybe OP
| has the same name as someone they actually wanted to target,
| or their phone number or email address is very similar to
| someone they wanted to target.
|
| Or, it could be an intentional misidentification - maybe OP
| has a friend who was picked up by whatever East European
| security services, and provided OP's name as some kind of
| co-conspirator in something OP's friend was into.
| bee_rider wrote:
| Well dang I work in a research lab and I didn't get an email.
|
| I'm just going to assume my research is so interesting that
| they sent the real badasses after me, somebody that Apple
| can't catch. The truth is too ego-shattering.
| szundi wrote:
| For now
| bee_rider wrote:
| So many different ways to read that, haha
| quesera wrote:
| Look to your left. Look to your right.
|
| Both of those people are working for a foreign government.
|
| At least one of them does not know it.
|
| Trust no one.
| jayrot wrote:
| If this is sarcasm, I love it. If you're serious then I
| don't.
| bee_rider wrote:
| I think it must be, it is a re-spin of a common "toxic
| STEM professor" meme.
| simpaticoder wrote:
| This comment has an off-by-one error.
| layer8 wrote:
| You probably have been targeted with the more advanced
| spyware that Apple hasn't detected yet. ;)
| throwaway48476 wrote:
| NSO was targeting something like 40k people just in Mexico.
| It's entirely possible that this was an accidental targeting
| because they have a similar name or email to a target.
| runjake wrote:
| My next question would be "What do your immediate relatives
| and friends do, or what are they involved with?"
| pjderouen wrote:
| It could be that they're related to a target. I've done a lot
| of hobby OSINT and sometimes finding a target is using
| off-center targeting to effectively triangulate or pivot.
| bennyhill wrote:
| A government that stoops to civil rights crimes but doesn't
| attach a good percentage of its fear to student movements is
| kind of oblivious to history as it pertains to its own
| miserable survival.
| AnotherGoodName wrote:
| Everyone's thinking academic secrets, but have they engaged
| in activism in any way, shape or form?
|
| Being able to take activists and discredit them is an amazing
| ability. I would not at all be surprised if the xz compression
| backdoor was an attempt by a certain government to gain the
| ability to discredit anyone that is against them in any way.
| mrguyorama wrote:
| College students are a traditional target of oppressive or
| authoritarian regimes. Teaching young adults to view the
| world through different lenses and systems is an important
| part of most college programs, as is a significant amount of
| self-discovery, and both lend themselves very well to
| activism, especially since young adults are rarely so jaded
| as to feel like they "can't do anything about it"
| nextaccountic wrote:
| what activists are running sshd?
| internetter wrote:
| Having written an article on XZ, I was half expecting to have
| this text pop up.
| alfalfasprout wrote:
| It's fairly common practice to test out exploits on victims
| that aren't the actual target first.
| pksebben wrote:
| Between the Metaverse, "mercenary spyware", AI war targeting, and
| death drones, I keep wondering who it is that read _Neuromancer_
| and thought; "What a rosy picture! How can we realize this
| stunning vision of a future-to-be?"
| jsheard wrote:
| _Sci-Fi Author: In my book I invented the Torment Nexus as a
| cautionary tale
|
| Tech Company: At long last, we have created the Torment Nexus
| from classic sci-fi novel Don't Create The Torment Nexus_
|
| https://twitter.com/AlexBlechman/status/1457842724128833538
| rchaud wrote:
| Same goes for certain types of lead characters in things like
| American Psycho, Fight Club, Mad Men and Wolf of Wall St.
| These are seen as aspirational instead of cautionary tales.
| unholythree wrote:
| I go to a restaurant where the owner has recently hung a
| sign reading "The World is Yours" as though Tony Montana
| from Scarface should be regarded a fount of wisdom.
| philistine wrote:
| If you want to deify Tony Montana, there is one quote
| that is the John 3:16 of his proselytizing, and _the
| world is yours_ is not that quote. I guess you can't put
| it in a restaurant.
| FabHK wrote:
| And, famously, Michael Lewis's first book, "Liar's Poker":
|
| > Despite the book's quite unflattering depiction of Wall
| Street firms and many of the people who worked there, many
| younger readers were fascinated by the life depicted. Many
| read it as a "how-to manual" and asked the author for
| additional "secrets" that he might care to share.
|
| https://en.wikipedia.org/wiki/Liar%27s_Poker#Reception
| 2OEH8eoCRo0 wrote:
| There was a recent article in NYT about Grand Theft Auto
| and the author mentions that their friends became a little
| more racist after playing it as kids. My takeaway was that
| these forms of media aren't for children because they
| probably won't understand that it's satire. Then I realized
| that many adults don't understand that it's satire either.
|
| Edit: article in question:
| https://www.nytimes.com/2024/01/25/arts/grand-theft-auto-
| isl...
| astrange wrote:
| The tech company is right since this appears to be a
| reference to the Total Perspective Vortex from Hitchhiker's
| Guide, which notably didn't do anything bad when it was
| turned on.
| kristianbrigman wrote:
| Only for Zaphod and only because he was in a simulation
| where he was in fact the most important person :)
| tialaramex wrote:
| To be fair, _somebody_ will always decide what you wrote was
| a warning and they should fear it, even if you specifically
| intended a utopia, just as people insist on rooting for and
| even imitating the bad guys from stories because they
| misunderstood "cool" as "good".
|
| Example: Some people think San Junipero, the one positive
| Black Mirror episode with an actual Happily Ever After
| romantic ending is a dystopian vision.
|
| Some people think the Primer, the technological device at the
| heart of Diamond Age, is the problem, not the Neo-Victorian
| aristocrats like Elizabeth's parents with their pseudo-
| colonial control over part of China, not the huge
| corporations whose greed is tearing the world apart and their
| engineers like Fiona's father, nor the Cyberpunks left over
| from a previous era like Nell's father - no the problem is
| the machine.
|
| In the Tweet framing it's easy, it's named a Torment Nexus
| and the book is literally titled "Don't Create The Torment
| Nexus" but what about the Horseless Carriage? The Novel? The
| Television? Are we creating the Urban Sprawl, the Wasted
| Youth, are we helping to Manufacture Consent? Or maybe these
| are Freedom and Art for the Masses? Framing.
| pksebben wrote:
| Okay, yeah. But even from a pretty hardcore moral
| relativist POV...
|
| > "mercenary spyware", AI war targeting, and death drones
|
| Are not super easy to justify. Like, sure some people
| obviously think those ought to be a thing, but those people
| are dicks.
| reaperducer wrote:
| _I keep wondering who it is that read Neuromancer and thought;
| "What a rosy picture! How can we realize this stunning vision
| of a future-to-be?"_
|
| The same people who read _1984_ and thought the same thing.
|
| Or the people who failed to read _1984_ , so they didn't get
| the warnings.
| mrguyorama wrote:
| There will never be a shortage of people who read dystopia and
| think "That would be awful, I should oppress the entire world
| as its rightful, righteous god king and make sure things go
| well (specifically how my extremely small perspective
| understands right and wrong)"
|
| We see on this very board a huge segment of people who believe
| "tech" for "tech's sake" is a good thing, or that any "tech" is
| inherently an advancement of society, and that advancement ===
| good
| 1970-01-01 wrote:
| Good way to get Pegasus devs to blink, but nothing more.
| t-sauer wrote:
| Maybe my thinking is a bit naive, but I would assume that the
| message signals that Apple found a new way to identify (and
| therefore maybe neutralize) Pegasus which is probably at least
| a medium annoyance to them.
| vinay_ys wrote:
| If you were the hacker operating a remote command and control
| for such a targeted attack, you would immediately know if
| Apple or some other mechanism silently blocked your exploit
| kill chain. This notification to users tells you nothing new.
| If something doesn't work, you move on to the next exploit
| available to you. It's not likely that they would shut shop
| and go away just because Apple notified users. The only thing
| this does is Apple gets more users to turn on their
| protection mechanisms like Lockdown Mode, which makes it more
| valuable to find vulnerabilities in that (as that is the new
| baseline now). And so goes the tale. It's a never-ending
| escalatory game.
| sigspec wrote:
| Pegasus and NSO.
|
| (Edit: of course I'm flagged for this. Surprise surprise)
| freedomben wrote:
| I spend way too much time on HN, and having seen how often
| flags are abused or simply used too liberally, I think they are
| way too over powered. A lot of good discussion gets killed by
| flags right out of the gate. Sometimes it gets vouched and
| redeemed, but the vast majority of the time the damage is done
| and that comment or story languishes in obscurity.
| pvg wrote:
| The comment doesn't really say anything and the commenter is
| not saying they edited the comment to make it just non-
| substantive rather than non-substantive and inflammatory.
| freedomben wrote:
| Excellent point. Thank you!
|
| I would hope people aren't using flags for low-value
| comments, but you make a great point that it could have
| been edited to remove something that _was_ deserving of a
| flag.
| Kbelicius wrote:
| Saw it while it was flagged. There were two sentences.
| They removed the second one. Can't remember the exact
| wording, it was a short one, but it was basically saying:
| "Israel bad".
| freedomben wrote:
| Ah thanks, that does indeed sound flag-worthy
| pvg wrote:
| _aren't using flags for low-value comments_
|
| They could, and if you ask me, they should. They gum up
| threads and often start meta discussions about exactly
| how low-value they are. Many are even explicitly listed
| in the guidelines - snark, tropes and memes, 'broke the
| back button', shallow putdowns, etc. Righteously
| flaggable, one and all.
| freedomben wrote:
| I agree regarding snark, and pretty much anything that
| criticizes the person rather than the ideas. But one
| person's tropes and memes are often somebody else's
| current belief/position, especially if they are part of
| today's lucky 10,000[1].
|
| What (in your opinion) is the purpose of the down-vote
| button?
|
| [1]: https://xkcd.com/1053/
| pvg wrote:
| _But one person's tropes and memes are often somebody
| else's current belief/position_
|
| In a site with the ostensible goal of 'curious
| conversation', that's not really good enough - it's not
| the job of your potential interlocutors to figure out
| what sincere beliefs and positions hide behind the
| throwaway trope line. If you want to have a conversation,
| it's on you to try to converse. There are lots of other
| places where the trope line is fine - from the group chat
| with friends or colleagues to twitter. But those places
| work in different ways.
|
| _What (in your opinion) is the purpose of the down-vote
| button?_
|
| It's a way to say 'this comment is misranked'. There are
| lots of reasons to feel a comment is misranked -
| including simple disagreement.
| saagarjha wrote:
| You were probably flagged because your comments are
| consistently of low quality.
| Etheryte wrote:
| You're being downvoted because you made a three-word comment
| that adds nearly nothing to the discussion on a site that hopes
| to entice meaningful discourse. Trying to play the victim on
| top of that is just silly.
| t-sauer wrote:
| If someone is interested in how the message actually looks, a
| user on reddit posted it and a previous version from 2023
| (although it doesn't include everything):
| https://www.reddit.com/r/iphone/comments/1c10jai/i_have_rece...
| ryandrake wrote:
| It looks like the message encourages users to update "to the
| latest software version, iOS 16.6." I wonder if their message
| is different to users on devices which no longer can be updated
| beyond iOS 15, like iPhone 7, 7 Plus, SE and so on.
| t-sauer wrote:
| That's the message they got in summer 2023 when iOS 16.6 was
| the most recent one.
| 1oooqooq wrote:
| Why do you think devices out of support date got any message
| at all?
| dylan604 wrote:
| To encourage them to upgrade?
| jayrot wrote:
| "Just buy your mom an iPhone"
| kmeisthax wrote:
| Note that "mercenary spyware" is the politically correct term
| Apple chose for "state-sponsored attacker" because Modi
| complained that Apple was exposing them for using illegal NSO
| Group spyware.
| loceng wrote:
| The power of language, where "state-sponsored" too accurately
| directs the population's attention to their government but
| where mercenary is vague and non-aiming - where a simple change
| in language is enough to quell that ire and attention of
| authoritarians; or should I say authoritarian behaviour to not
| out them directly as authoritarians?
| miohtama wrote:
| Apple needs to work with authoritarian governments, or nobody
| is going to build our iPhones.
|
| I would guess it's obvious for everyone who gets the message
| that they are political targets. However it is also important
| to call out abuse of power, like in the case of India,
| Spain, Poland, where the governing party is spying on the
| opposition in order to find ways to get rid of them.
| nehal3m wrote:
| > Apple needs to work with authoritarian governments, or
| nobody is going to build our iPhones.
|
| Not only is this objectively true, I also have an iPhone.
| It's not news to me but it still makes me do a double take
| every time.
|
| Maybe I should try oscillating to Linux and FairPhone
| again...
| tombert wrote:
| I think as of right now, it's nearly impossible to buy a
| guilt-free computer of any kind. It's a spectrum,
| obviously, but I think if you were to audit every
| component of any computer you buy from basically any
| company, you'd eventually get something kind of
| depressing.
|
| A relative of mine in the defense industry has told me
| that, generally speaking, the DoD requires that none of
| the components in missiles have parts manufactured by
| potential adversaries, which makes enough sense but is
| also _extremely_ difficult now.
| Dalewyn wrote:
| When I have to point to something when I say I doubt
| manufacturing will ever come back to the west, I point to
| the fact we can't manufacture the simplest of things
| ourselves anymore.
|
| Thanks Delta Airlines, whose metal nametags are literally
| just cut sheets of aluminum with some paint on them and
| are still Made in China. Someone seriously wants to tell
| me we can manufacture bleeding edge tech when we can't
| even cut and paint our own fucking sheet metal?
| reaperducer wrote:
| Very often it's not about "can't," and more about
| "cheaper."
|
| There's plenty of places to get metal nametags made in
| the U.S.A. But Delta chose to go the cheapest route to
| save a few pennies.
| kwhitefoot wrote:
| That's just weird. The US is definitely a lower cost
| country than Norway yet my youngest son works for a
| company here in Norway that does quite a lot of business
| making metal and plastic tags of various kinds with text
| engraved, printed, or laser cut.
|
| As far as I know most of the machinery is made in Europe,
| mostly Germany, again generally higher cost than the US.
| So I find it difficult to believe that it can't be done
| in the US.
| jfim wrote:
| My guess is that it's likely cultural.
|
| Cost cutting seems to be done much more deeply in the US
| than in Europe. For example, economy class on all North
| American airlines is rather miserable, while most
| European non budget carriers have a better experience in
| economy.
| tombert wrote:
| I feel like, for better or worse, the US is sort of
| obsessed with figuring out how to drive costs down as low
| as possible, at least historically. So much early
| American industry was based around making mass-production
| more and more efficient, e.g. early assembly lines for
| the Ford company being an obvious case.
|
| In a lot of ways, this is obviously good, most people
| benefit from lower prices, more value being created, etc,
| but I think it's also made it so that cheap-but-
| ethically-dubious manufacturing from other countries
| becomes increasingly appealing, especially since it's
| abstracted enough from the end-user to where they can
| comfortably say "out of sight, out of mind".
|
| I'm no better; I know very well the conditions of some
| other countries, and think they're very bad. I also think
| it's bad that America fought a whole war to end slavery,
| and instead we just launder it through other countries.
| Still, despite me thinking all of this, I still generally
| shop for reasonable prices instead of trying to focus on
| ethical stuff.
| roody15 wrote:
| Can confirm, just got back from Barcelona on an Iberia
| flight. Economy on this flight was hands down better than
| any flight I have taken in the US. Food, service, even
| baggage policy was just simply a better experience.
| Honestly my mind was blown / food: multiple meals included
| in the price of an economy seat. Just less nickel and diming and
| overall better experience.
| jayrot wrote:
| The metal nametags are a very poor example of the point
| being attempted, since I would venture a guess that there
| are 1000s of companies or shops in the US that can make
| metal nametags.
| geodel wrote:
| Well you can also try committing to new year resolutions
| and so many other things. But companies have bet on
| consumers valuing convenience over everything else. And so
| far they've been right in almost every instance.
| mc32 wrote:
| There are definitely more countries where Intelligence
| Services spy on not only the opposition but members of
| congress. The FBI admitted to spying on members of the US
| senate as well as an adversarial candidate to the US
| presidency.
| loceng wrote:
| As a bridge perhaps, and not all authoritarians are equal -
| of course, so being rational is fine - aligning with a less
| worse, less captured society is a reasonable stepping
| stone; and a maneuver can be to pit one tyrant against
| another, where India-China relations aren't good - however
| that could be useful to both tyrants towards manufacturing
| consent to send all of their young military aged men - who
| would be the strongest, most capable to go up against the
| tyrants - instead sending them to a meat grinder of a
| potential WW3 that the military industrial complex is also
| likely drooling over in their fascist wet dreams; the two
| sides of the fascist coin being authoritarian politicians
| and industrial complexes.
|
| However the longer we allow revenues to be generated in
| relationships with authoritarian economies-states, the more
| we're empowering them.
|
| That in a way is also a carrot - at least until a certain
| point of no return - where in America there's an effort to
| collapse the USD, and they might succeed - and then where
| BRICS will have buying power to influence the rest of the
| world to align with bad actors in each countries who aren't
| yet toeing the tyrannical line - and help them navigate
| towards a totalitarian state.
|
| Knowing who is your ally in each nation is important, and
| keeping communication lines open is the bare minimum - and
| tyrant wannabes in different nations, except in places like
| China where they already are locked down in their systems,
| still need to creep forward in as incognito method as
| possible until they've captured all of the various
| positions necessary before they can recruit and grow their
| Gestapo.
|
| Most people are unaware that Canada is about to be captured
| by fascists, and where laws and mandates have already
| passed that could allow those politicians to pretend they
| won the next election (multiple people in our intelligence
| agency CSIS already whistleblowing that China, the CCP is
| confirmed to have interfered in at least our last 2
| elections which kept Trudeau-NDP in power) - and then pump
| that out and control the narratives in our state-funded
| media channels like CBC; mainstream news - including the
| biggest dissident media company called Rebel News - aren't
| shown on Facebook, for vector example, another vector being
| an arguably manufactured false flag 3-day outage of Rogers
| Telecommunications - where this fascist government
| immediately afterward mandated _all_ telecommunications
| companies cross-integrate their services "to act as a
| backup" for other companies - which conveniently creates-
| allows for a centralized system for monitoring, etc.
| FpUser wrote:
| >"where this fascist government..."
|
| I am not sure whether this counts as the success or the
| failure of the meds
| everforward wrote:
| Best to refer to them as the "Ministry of Truth". We've
| always been at war with Eurasia.
|
| I wonder if someone has made a "De-bullshitify English"
| Chrome add on to replace phrases like "mercenary hacker" and
| "officer-involved shooting" with more semantically correct
| phrases.
| FpUser wrote:
| So you're saying that non authoritarian governments do not
| sponsor or do themselves the spying / attacks?
| bparsons wrote:
| Interesting. By reading that term, I thought the exact
| opposite. Mercenary sounds decidedly like a non-state actor.
| danudey wrote:
| That was my first thought as well, though on further
| consideration I assumed that it was some kind of paid/for-
| profit criminal organization performing these attacks on
| behalf of a nation-state.
| jsheard wrote:
| The wording is _technically_ correct since these attacks are
| often facilitated by private for-profit companies. It just
| glosses over who is paying them (state actors).
| sofixa wrote:
| Why? Mercenaries are most often hired by state actors.
| 2OEH8eoCRo0 wrote:
| Interesting use of language on your part as well- what makes
| the NSO Group spyware _illegal_?
| vngzs wrote:
| I would describe this spyware's "illegal" status as
| _colloquially_ true - despite the lack of a comprehensive,
| international, enforceable legal framework - at least in the
| USA [0]:
|
| > As part of this effort, the End-User Review Committee of
| the BIS decided to add four foreign entities, among them two
| Israeli companies, NSO Group and Candiru, to the Entity List.
| The U.S. Export Administration Regulations ('EAR') impose
| additional license requirements for exports to listed
| entities, and limits the exceptions for exports, reexports,
| and transfers to such entities.
|
| But they continue:
|
| > The existing international and national frameworks
| regulating the export of sensitive spyware technologies lack
| the teeth necessary to deal with contemporary issues relating
| to the abuse of these technologies and the growing need for
| their enhanced supervision.
|
| [0]: https://www.law.georgetown.edu/ctbl/blog/managing-risky-
| busi...
| ajross wrote:
| The DMCA, in the US. Other statutes in other markets. Hacking
| computers is pretty prima facie criminal everywhere. It's
| true that there are inter-jurisdictional edge cases (cracking
| an iPhone in India via an attack from Israel probably isn't
| illegal in the USA, etc...) which allows NSO to operate more
| freely than we'd like. But no one seriously claims this is
| legal activity anywhere in particular, just that we can't
| catch them.
|
| Basically the distinction is one of law enforcement
| authority, not legality.
| kube-system wrote:
| The CFAA is the broadest and most relevant US statute
| regarding computer hacking. But yes, international computer
| hackers typically operate outside of the jurisdictional
| reach of their targets.
| PeterisP wrote:
| The point I'm hearing in the parent post is more like that
| many of the state actors using such attacks against
| domestic targets actually may be legally allowed to do so,
| if they have passed laws which permit their own security
| services to use such software on their residents' phones.
|
| Even in USA that likely could be legal with an appropriate
| court warrant, and many other countries have more
| permissive constitutions.
| jayrot wrote:
| > Even in USA that likely could be legal with an
| appropriate court warrant
|
| Can you expand upon this? I'm not particularly familiar
| but it doesn't seem right. Obviously LEO agencies are
| allowed to subpoena private information, but can they
| legally use exploits with a warrant? Are there recorded
| examples of this?
|
| [Based on your reference to warrants, I guess I'm
| excluding the NSA or other supposed state-level spy
| agencies that supposedly secretively deploy such tactics]
| PeterisP wrote:
| I'm not a lawyer and the proper answer is likely state-
| dependent, but why not?
|
| It's well established that with an appropriate warrant,
| LEO have always been able to come into your house without
| telling you and add hidden surveillance bugs to listen on
| your communications; they have always been allowed to
| physically modify or replace your phone (e.g. physical
| phone wiretaps a century ago); Electronic Communications
| Privacy Act reasserts that this applies also to
| electronic surveillance and digital communications; so
| (as a non-expert) I don't really see why that wouldn't
| apply to smartphone exploits as well. We do see exploits
| being applied to devices in LEO possession (e.g.
| https://www.theverge.com/2021/4/14/22383957/fbi-san-
| bernadin... for one random example) to recover evidence.
|
| The main restriction is the constitutional limits of 4th
| amendment which requires specific warrants for each case
| - which is a significant practical obstacle, so the
| circumstances in which warrantless wiretapping is
| permitted (e.g. by PATRIOT act) is a contentious issue;
| however, it's not relevant if a proper warrant is
| obtained.
| nativeit wrote:
| Aren't its primary methods of deployment and utilization
| widely considered to violate domestic and international laws
| for unauthorized access to targets' devices and/or data? I
| might be mistaken, I don't know for sure how common such
| statutes are outside of the US, but I'm pretty sure it's
| illegal in the United States, even for law enforcement (the
| likely unconstitutional extrajudicial activities of some
| unnamed alphabet agencies notwithstanding). If nothing else,
| there are documented cases where it's been used to spy on
| journalists and activists in Saudi Arabia, including the
| widow of the assassinated American journalist Jamal
| Khashoggi.
| 1oooqooq wrote:
| ironically, DMCA does.
| sneak wrote:
| Technically speaking, Apple placing iCloud services for users
| in China on CCP-controlled hardware (as required for their
| continued operation in China) is also a "state-sponsored
| attack".
|
| Not that they have a choice, given that their most profitable
| product lines are all basically 95%+ manufactured in China by
| Chinese nationals working for Chinese companies.
| bluish29 wrote:
| So Apple/companies complying with US/EU laws is state-sponsored
| attacks and not following local law?
| sneak wrote:
| https://www.reuters.com/article/idUSKBN1ZK1CO/
|
| Yes. We're well past "following local law" and into "active
| cooperation" territory. Apple by nature can't have
| adversarial relationships with the US or Chinese
| governments or they'd get squashed like a bug.
|
| One might even argue they have a fiduciary duty to not pick
| fights with city hall.
| saagarjha wrote:
| Mercenary spyware isn't a new term. It's inclusive of hacking-
| for-hire groups that are not state entities or funded by
| countries.
| geodel wrote:
| Well "mercenary" does sound like a weasel term but calling it "state
| sponsored" with releasing details for others to research and
| prove/disprove isn't doing much apart from agitating supposed
| states.
|
| Any government has to take Apple's word seriously it is not
| like an individual or small time company claiming that
| government illegally tapped their phones or hacked computer and
| government doesn't even bother to respond because it's not worth
| their time.
| vinay_ys wrote:
| Well, supreme court ordered panel investigation into this
| spyware scandal didn't find any evidence of actual spyware. So
| there's that. Also, if government wants to investigate someone,
| they have so many powerful ways to do that (and they actually
| do that). So, it's not clear to me what need they have to go
| spy on people via NSO tools. And surely, if they were building
| large datacenters to do massive spying like some TLAs do in
| 5eyes countries, we would know about it. So, no, this isn't the
| local government but a foreign government (which doesn't have
| detention powers in another country) that's likely to use
| remote hacking methods to coerce people in another country. We
| saw this with leaked data dumps from recent hacks by the not so
| friendly neighbors on India's many citizen databases (like
| retirement provident fund systems etc).
| mynameisvlad wrote:
| I'm not sure exactly what part of it you're trying to refute
| since your comment is kind of all over the place, but GP
| comment is correct.
|
| The reason it's called that is _literally_ because of the
| Indian government.
|
| > Apple's removal of the term "state-sponsored" from its
| description of threat notifications comes after it repeatedly
| faced pressure from the Indian government on linking such
| breaches to state actors, said a source with direct
| knowledge.
|
| https://www.reuters.com/technology/cybersecurity/apple-
| warns...
| resource_waste wrote:
| I suppose this is an alternative to security... Real "Scroll to
| the bottom of the terms and click accept" vibes.
|
| Is there any company as big as Apple with so many major security
| issues?
| hiatus wrote:
| > Is there any company as big as Apple with so many major
| security issues?
|
| To be fair, does any Android device alert you to a compromise
| like this?
| resource_waste wrote:
| Android is more secure, especially in recent history. You can
| even see it in 0 day bounties.
|
| Don't pay attention to Samsung though, that company is
| probably the Apple equivalent of android.
| saagarjha wrote:
| I don't see how the bounties back this up?
| resource_waste wrote:
| Supply and demand.
| rootusrootus wrote:
| The bounties look like they have fairly comparable
| distribution, and just knowing the dollar figures doesn't
| really tell much about either supply or demand. Your
| inference requires that knowledge.
| saagarjha wrote:
| Neither is correlated to how secure something is?
| ziddoap wrote:
| > _Android is more secure, especially in recent history.
| You can even see it in 0 day bounties._
|
| This needs citations, and more than just referencing 0-day
| bounties.
|
| 0-day bounties are an incredibly weak signal in regards to
| security posture.
| hu3 wrote:
| Pricing, and for more than zero days here:
|
| https://zerodium.com/program.html
| ziddoap wrote:
| Pricing of 0-days has very little correlation with the
| security of something, if any correlation.
|
| I'm not sure what the "and for more" you are referencing.
| The site lists prices, an FAQ, and events. None of that
| supports the argument made by parent comment.
| hiatus wrote:
| The number of public bounties for a system seems orthogonal
| to the number of actual vulnerabilities in a system. Of
| course, vulnerabilities exist independent of the existence
| of a bounty for them.
| Lendal wrote:
| Pet peeve: This story alternates between "nations" and
| "countries" as if they were synonyms. A nation is a group of
| people sharing cultural, ethnic, and historical ties. There are
| many more nations than there are countries, especially within the
| US. A country has a political boundary, a flag and an anthem.
| It's one thing to use a word in the wrong way, because maybe you
| don't know the other word exists, and that's okay. But it's
| really annoying to hear both words being used in the same story
| but alternating them, without any explanation as to why. Is this
| an AI generated story?
| vineyardmike wrote:
| With all due respect, I've simply never heard anyone use these
| terms "correctly". I live in an English-speaking _country_ ,
| and the closest thing I've seen to this is university signs
| that say things like "this is tiger nation" or something
| similar. But I've also seen people use "country" to express
| that too.
|
| I assume they're alternating not because it's AI written but
| because the author considered them synonymous and wanted it to
| sound less repetitive.
|
| These words are just so overloaded that I think this is a lost
| battle. People hike in the back-country, you can live in the
| city or the country. And frankly if you used "nation" to
| represent a cultural group of people in almost any context I
| think people would not understand or worse - assume you were
| stoking some racial angst or land-dispute.
| dragonwriter wrote:
| Pet peeve: Misguided pedantry
|
| Both "country" and "nation" have a wide variety of definitions,
| and several of them overlap.
|
| The definition you give for "nation" is a particular technical
| one used in certain contexts, but the word used for the way you
| define "country" in the context where that kind of technical
| definition is being used for "nation" is "state", _not_
| "country". (And even "state" may be used with additional
| qualifiers to disambiguate the exact sense when used for that,
| because it is a heavily-overloaded term.)
| gamepsys wrote:
| Pet peeve: Not enough pedantry with language use in
| publications.
|
| Nation and country are not interchangeable. Words have
| meaning. Good journalists choose their words deliberately and
| have a deeper understanding of language than the average person.
| mynameisvlad wrote:
| Sure, words certainly have meaning, but that meaning is
| constantly evolving and even differs from person to person.
|
| For the common person and the common definition and use of
| the two words, they are very much interchangeable. The
| common person might not even notice the change in words
| because the generally used definitions of both are common
| enough.
| hnfong wrote:
| I'm not sure this is true
|
| > There are many more nations than there are countries,
| especially within the US.
|
| Each US state has "a political boundary, a flag and an anthem".
| So that's 50 of them. How many nations are there in the US?
| dragonwriter wrote:
| It's "true" if you, as the GP seems to intend to, define
| "country" to be "state that is sovereign in the sense of a
| principal subject of international law".
|
| This is, to say the least, _not_ the only definition of a
| "country" (and is also among the definitions of "nation".)
| hnfong wrote:
| "Country" definitely does not mean "sovereign states" in
| English.
|
| And I do mean "English" because in the UK, England,
| Scotland and Wales are officially considered "countries" by
| the UK government...
| tialaramex wrote:
| If you care, you definitely need to specify what you
| mean, e.g. the British gameshow "Pointless" has a catch
| phrase:
|
| "And by 'country' we mean a sovereign state that is a
| member of the UN in its own right"
|
| So if you're asked for "country names ending in land" on
| the show they'll invariably remind you of the definition
| and you ought to then know Scotland is plain wrong,
| whereas Ireland is a reasonable although obvious (so not
| "Pointless") attempt to answer.
| hiatus wrote:
| > There are many more nations than there are countries,
| especially within the US.
|
| I took this to include things like first nations and
| reservations which are themselves "sovereign".
| drcongo wrote:
| It's TechCrunch, pretty much the bottom of the barrel.
| samatman wrote:
| Hence the name of the major intercountryal governing body, the
| United Countries.
| _the_inflator wrote:
| "Mercenary spyware attacks, such as those using Pegasus from the
| NSO Group, are exceptionally rare and vastly more sophisticated
| than regular cybercriminal activity or consumer malware"
|
| So, maybe even provoking an Apple warning to those targets could
| also be part of a sophisticated operation.
|
| These targets react or have to react in a certain way. Instigate
| to lure people out of hiding and entice them to react, even if
| only to observe their behavior.
|
| What do these targeted people do then? Switching phones?
| Accessing certain digital services, warning their network via
| conventional lines?
|
| From an observer's perspective, this is pretty thrilling.
| resource_waste wrote:
| >What do these targeted people do then? Switching phones?
|
| When you can get a $130 Motorola that has better security...
| Yes.
|
| Since the 2018 iPhone crack by the FBI, I am shocked anyone
| uses their iPhone for secrets.
| dieortin wrote:
| I doubt a 6 year old phone with outdated OS will be more
| secure than an up to date iPhone
| resource_waste wrote:
| Why are you comparing 6 year old phones?
| FabHK wrote:
| The 2018 crack that one can foil by picking a decent
| passphrase instead of a 4-digit number?
| itscodingtime wrote:
| Is there a modern smartphone or cellphone the FBI, CIA, NSA or
| any nation state can not hack?
|
| I can guarantee you the FBI can also hack a $130 Motorola.
| dylan604 wrote:
| Nothing is un-hackable if you know how to properly use a $5
| wrench.
| lcnPylGDnU4H9OF wrote:
| If it required the wrench, it was at least un-hackable
| enough. Part of the reason for remote hacking is to avoid
| alerting the hacked party to what's going on, which is
| obviously failed by the time you're hitting them with a
| wrench.
| dylan604 wrote:
| At the end of the day, you want the data. Sure, it's much
| more convenient to get the data from a device, but if you
| had to get it somewhere else, the data is obtainable.
| neilv wrote:
| Is this spyware possible due to engineering flaws in Apple
| products?
| wepple wrote:
| Technically, yes?
|
| But there has never ever been non-trivial software that has
| been completely free of such defects.
|
| In other words (in my opinion), iOS is probably better than
| most other platforms against this type of attack.
| amelius wrote:
| "In other words" doesn't make sense here.
| fckgw wrote:
| I guess? Every platform has bugs and zero days.
| Maximus9000 wrote:
| Check out Darknet diaries podcast on the NSO group. NSO group
| likely pays over $100k USD to hackers that have a good zero day
| for iPhone.
|
| https://darknetdiaries.com/episode/100/
| Etheryte wrote:
| Pretty much every computer virus, worm, etc ever has been due
| to engineering flaws in software products. All software ever
| made has bugs in it, including whatever you're using right now.
| FunkyFunTimes wrote:
| Here's hoping that this isn't any sort of psychological warfare
| tactic which Apple has been pressurised to sow into making groups
| of people assume blame at certain groups for the purpose of
| swaying elections in certain ways.
|
| Because God knows how many times Five Eyes have tampered with
| elections across the Middle East in the past 50 years.
|
| I wouldn't be naive to believe everything totally and just
| putting another perspective out there which may be worth
| considering (even for just a few seconds).
| ein0p wrote:
| I'd think this extends to all countries actually, and find it
| curious that only 92 are being notified.
| dylan604 wrote:
| Could this be illegal in some countries to notify users like
| this? I could see how revealing to some one they were the
| subject of a gov't targeting would be illegal in some
| countries.
| spxneo wrote:
| It's probably far worse with Android users that Google is not
| disclosing.
|
| I'm seriously considering changing to Apple after this. Not that
| its secure but that they are willing to go to this length to
| communicate it.
| ipaddr wrote:
| Are you a journalist or high profile target? If not, this
| notification isn't for the average person.
| gxs wrote:
| Why is it hard to see that while he may not be a target for
| any sort of state sponsored attack, it's a bellwether of
| Apple's stance on security.
|
| I really, really don't think he meant he was switching to
| Apple because he's a CIA spy stationed in Moscow.
| spxneo wrote:
| > CIA spy stationed in Moscow.
|
| Chiort poberi!
| scrollaway wrote:
| Right it's unthinkable you'd find high profile targets on
| hacker news.
|
| All you'll find here are founders of highly funded startups
| and software developers at boring companies such as Google,
| Microsoft and Apple.
|
| No point getting into these people's phones if you're a state
| actor for sure /shrug
| consumer451 wrote:
| You don't need to be a journalist. I think many tech workers
| are oblivious to how juicy and obvious a target we are. Most
| of us publish a detailed target on our own back via LinkedIn,
| or our company's website About Us and Clients pages.
|
| Long ago, I co-founded a tiny startup. We had some high
| profile clients. I was dumb enough to put those clients on
| our site. I also used to be dumb enough to have a public
| social media profile, in my name.
|
| I was already somewhat security aware, but one day I almost
| fell for a spear phishing email. Someone created a gmail
| account 1 character different from my gf's gmail. They sent
| me a well worded, but simple email along the lines of "Hey
| baby, check this out!" and URL shortened link. She happened
| to be next to me, and I said to her "Hey, what's this?"
| "What? I didn't send that!" I then opened it in a VM and saw
| that it resolved to something.ru.
|
| It was a combo of identifying the juicy client of ours,
| seeing my name as co-founder, finding me on FB, finding my gf
| in my profile, getting her email, etc.
|
| I then got to learn fun new terms like threat modeling.
|
| Is it possible that someone might think that you have ssh
| access to a server on an interesting network? You are a
| target.
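The lookalike-address trick in the story above (a sender one character away from a trusted contact) is something a mail filter can flag mechanically. The following is an added example, not code from the commenter or from any mail product: it compares each incoming sender against a constructed address book with an edit-distance check and reports near-misses that are not exact matches. The contact addresses and senders are constructed sample data.

```python
"""Flag e-mail senders whose address is a near-miss of a known contact.

Added example (not from the thread): a spear-phishing sender that is one
character away from a trusted address is an exact match to the eye but
not to an edit-distance check, so the check can be used as a filter rule.
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(min(n, m)) memory."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def flag_lookalike(sender: str, contacts, max_distance: int = 2):
    """Return (closest_contact, distance) when `sender` is within
    `max_distance` edits of a known contact but is not that contact;
    return None for exact matches and for unrelated addresses.
    Comparison is case-insensitive with surrounding whitespace stripped."""
    s = sender.strip().lower()
    normalised = {c.strip().lower(): c for c in contacts}
    if s in normalised:
        return None  # exact match: a known contact, nothing to flag
    best = None
    for norm, original in normalised.items():
        d = levenshtein(s, norm)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (original, d)
    return best


# Constructed sample address book (hypothetical addresses).
CONTACTS = ["jane.doe@gmail.com", "bob@example.org"]

if __name__ == "__main__":
    # Constructed senders: one genuine, two lookalikes, one unrelated.
    for sender in ["jane.doe@gmail.com", "jane.d0e@gmail.com",
                   "janedoe@gmail.com", "newsletter@shop.example"]:
        print(f"{sender:28} -> {flag_lookalike(sender, CONTACTS)}")
```

A real filter would also normalise confusable characters (Unicode homoglyphs, rn/m) before measuring distance; the edit-distance core stays the same.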
| ziddoap wrote:
| Or if you are adjacent to a high profile target, working in
| the same company as a high profile target, working at a
| company that is contracted to a high profile target, friend
| of a friend of a high profile target.... And so on.
|
| Sure, the average person probably doesn't need this (although
| as another comment pointed out, HN isn't quite representative
| of the average)... But the net is a hell of a lot wider than
| just journalists.
| standardUser wrote:
| Years ago I worked for a non-profit in an office building
| in San Francisco. My office neighbors were Google, the US
| Secret Service and, I shit you not, China Daily (a major
| news outlet run by the Chinese Communist party).
| user_7832 wrote:
| > I'm seriously considering changing to Apple after this.
|
| Ironically that may be worse for you. iMessage is probably a
| critical step in 60% (or more) of these exploits, and the
| various unicode/pdf etc rendering engines are responsible in
| many exploits. Android's open-source nature likely means that a
| lot of these things are found by security researchers first.
| Don't forget that zerodium still pays more for an android 0-day
| than an iOS 0-day.
|
| Plus, the huge variability between Samsung/Google/Moto/Huawei
| etc makes it triply hard for a single exploit to be successful.
| spxneo wrote:
| you changed my mind successfully thank you
|
| but what about dumb phones from late 2000s like my Samsung
| Alias 2? what kind of sick bastard would make zero days for
| this
| 1oooqooq wrote:
| For those you don't need 0-days. You can use 360*20-days just
| fine. It's like there was any firmware update for them
| ever.
| consumer451 wrote:
| I can never pass up an opportunity to mention Justine
| Haupt's Rotary Un-Smartphone.
|
| Buy: https://skysedge.com/telecom/RUSP/index.html
|
| Story: https://www.justine-
| haupt.com/rotarycellphoneinfo/index.html
|
| Edit: wait, was she not able to get it certified? Does it
| really say it won't connect to a US network?
|
| Oh,
|
| > This is a regulatory approval issue which will take time
| to resolve.
|
| Hmm, maybe that's just a disclaimer as the chart shows some
| US SIM carrier compatibility.
|
| https://skysedge.com/telecom/RUSP/images/LARANetworkCerts.p
| n...
| spxneo wrote:
| weird why wouldn't it work with US networks...but works
| in other countries?
|
| not sure about the rotary thing that looks cool tho
| user_7832 wrote:
| Happy to be able to help!
|
| If we're talking about having the microphone tapped etc, I
| don't think anyone would still be developing 0-days for
| such old phones. If you want to be safer (assuming fear of
| old software having unpatched vulnerabilities) Nokia
| launched a dumb phone not too long ago.
|
| However... GSM networks and cell tower level tracking is
| much harder/almost impossible to escape short of throwing
| away your phone. SMSes can be hijacked, hostile agents can
| force downgrade the connection to 3G/2g to break encryption
| (iirc, please correct me if wrong), and your location is
| generally known to your service provider and Uncle Sam.
|
| Plus... the SIM card is its own mini computer, and lots of
| the firmware between that and the telephony modules is
| proprietary and closed source. If you're familiar with
| intel ME you have an idea of what I'm talking about.
|
| Honestly, if you're not a journalist going after big names,
| or a top CEO/president etc you likely don't need to worry
| about any of these. But if you are, or just want to be
| privacy conscious, your best bet is to never use cell
| towers and only use Wi-Fi/internet from public or
| untraceable places; along with Wi-Fi calling for telephony.
| Btw I'm not sure but I think Google fi and a few
| carriers/MVNOs offer virtual numbers, which can be a good
| first step for privacy.
| blegr wrote:
| > Don't forget that zerodium still pays more for an android
| 0-day than an iOS 0-day.
|
| A random Internet search gives iOS 30% market share to
| Android's 70% [1], which could also explain the higher price.
|
| [1] https://www.statista.com/statistics/272698/global-market-
| sha...
| user_7832 wrote:
| You raise a good point, however iirc the values of the 2
| OSes were the same for a long time in the past.
| onedognight wrote:
| Apple specifically acknowledges this and has Lockdown Mode to
| address it. If you care about security you should enable it.
| Of course you'll not be able to watch YouTube videos, but
| you'll be safer.
| cute_boi wrote:
| What's the point of carrying a phone that doesn't even play
| YouTube videos? If security is so important then they
| should probably carry a Nokia style 2000's phone where there
| is no chance of malware?
| joe_guy wrote:
| I do not believe the android Messages application is open
| source. I believe AOSP contains something very barebones. It
| has been a lot of years, am I incorrect?
| realusername wrote:
| The big difference here is the Message app on Android is
| just a normal app whereas imessage is bundled deep in the
| OS with tons of private apis
| spxneo wrote:
| that is so bizarre that something so essential requires
| deep integration with the OS, of course that is going to
| open a can of worms.
| saagarjha wrote:
| I don't understand why people keep bringing this up when
| it has no functional relevance to how secure it is
| user_7832 wrote:
| I believe it is relevant, at least till recently Apple
| developed a "blastdoor" to keep iMessage safer against
| such attacks. While other apps have been used in attacks
| (eg WhatsApp/Jeff Bezos iirc) iMessage seems to have more
| permissions than an average user app.
| jwells89 wrote:
| > Plus, the huge variability between
| Samsung/Google/Moto/Huawei etc makes it triply hard for a
| single exploit to be successful.
|
| That variability is a double-edged sword. Manufacturer-added
| Android bundleware is notorious for being shoddily built and
| could easily represent added points of ingress.
|
| Which is why I wish it were practical to replace OEM Android
| versions with GrapheneOS/CalyxOS or similar on the latest
| devices, similar to how a cutting edge PC can run one's
| choice of Linux. As long as more secure or at least more
| standardized Android distributions can only run on devices
| with some age on them, their popularity will be limited even
| among the technically inclined.
| alwayslikethis wrote:
| GrapheneOS and I think CalyxOS runs just fine on the latest
| Pixel devices. From what I see it is quite up to date most
| of the times.
| resource_waste wrote:
| Wait... Apple has the worst security record of any of the FAANG
| companies and you are switching to them because they admitted a
| security issue after the fact?
|
| What?
|
| Is this just regular Apple fanboy-ism?
| spxneo wrote:
| I changed my mind after somebody reminded me Android is more
| secure and harder to hack due to diversity in hardware
| ethbr1 wrote:
| Reading between the lines, one thing that I expect Apple has
| but may not be discussing -- root-cause replayability post-
| infection, across all Apple devices.
|
| I.e. infection is eventually discovered, Apple isolates the
| vulnerability's entry point, then Apple has some ability to re-
| scan all devices to detect which may have also had the attack
| targeted against them
|
| Hashing some data that can serve as a fingerprint makes sense
| from a herd standpoint (hell, even something as simple as call
| stack after iMessage received)
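The fleet-wide rescan sketched above only works if the fingerprinted artifact is stable across devices. The following is an added example, not Apple's code and not from the commenter: it canonicalises a recorded call stack (dropping addresses and offsets that vary with ASLR and load order), hashes the result, and rescans constructed telemetry from several devices for the fingerprint of one reference stack. Module and function names in the sample stacks are hypothetical.

```python
"""Retroactive fingerprint scan over constructed device telemetry.

Added example, not Apple's code: the point it makes is that a raw hash
of an artifact such as a call stack differs per device, while a hash
of the canonicalised stack yields one fingerprint that can be matched
across a fleet.
"""
import hashlib
import re

# Hex addresses and "+N" offsets vary per device/run; strip them.
_VOLATILE = re.compile(r"0x[0-9a-fA-F]+|\+\d+")


def canonical_stack(frames):
    """Reduce raw frames to 'module!function', outermost frame first."""
    return tuple(_VOLATILE.sub("", f).strip() for f in frames)


def fingerprint(frames) -> str:
    """SHA-256 over the newline-joined canonical frame sequence."""
    joined = "\n".join(canonical_stack(frames))
    return hashlib.sha256(joined.encode()).hexdigest()


def raw_hash(frames) -> str:
    """Naive hash of the unnormalised stack, shown for contrast:
    it differs per device and is useless for herd scanning."""
    return hashlib.sha256("\n".join(frames).encode()).hexdigest()


def scan(telemetry, known_bad_fingerprints):
    """Return sorted device ids whose recorded stack matches a known-bad
    fingerprint. `telemetry` is an iterable of (device_id, frames)."""
    hits = {dev for dev, frames in telemetry
            if fingerprint(frames) in known_bad_fingerprints}
    return sorted(hits)


# Constructed sample: the stack captured on the device where the
# intrusion was first found (hypothetical module/function names).
REFERENCE_STACK = [
    "msgd!parse_attachment 0x1a2b3c",
    "imgdecode!png_inflate 0x00ff +128",
    "zlib!inflate 0x7777 +9",
]

# Constructed telemetry from other devices: same code path on A and C
# with different addresses; B stopped at a different frame.
TELEMETRY = [
    ("device-A", ["msgd!parse_attachment 0x9f9f9f",
                  "imgdecode!png_inflate 0x1234 +128",
                  "zlib!inflate 0xabcd +9"]),
    ("device-B", ["msgd!parse_attachment 0x2222",
                  "imgdecode!png_inflate 0x3333 +4"]),
    ("device-C", ["msgd!parse_attachment 0x4444",
                  "imgdecode!png_inflate 0x5555 +128",
                  "zlib!inflate 0x6666 +9"]),
]

if __name__ == "__main__":
    bad = {fingerprint(REFERENCE_STACK)}
    print("canonical:", canonical_stack(REFERENCE_STACK))
    print("matches:  ", scan(TELEMETRY, bad))
```

The same canonicalise-then-hash pattern applies to other artifacts (file paths with per-user components, process trees with PIDs removed); the hash is only as useful as the normalisation that precedes it.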
| fishywang wrote:
| >It's probably far worse with Android users that Google is not
| disclosing.
|
| [citation needed]
| aembleton wrote:
| https://dictionary.cambridge.org/dictionary/english/probably
| Animats wrote:
| The message from Apple is so vague that it's useless. It just
| says to be afraid. There's no advice on what action to take.
| filenox wrote:
| That's not true, in the message they refer you to a web page
| with more details: About Apple threat notifications and
| protecting against mercenary spyware
| -https://support.apple.com/en-in/102174
| Vicinity9635 wrote:
| It tells you to update your phone and turn on lockdown mode.
| swinglock wrote:
| The article omitted it, but the message says to update iOS to
| the latest software and enable its lockdown mode.
| Animats wrote:
| Right. That's a "turn it off and turn it on again" tech
| support answer.
| jayrot wrote:
| Hardly. Keeping your apps and operating system updated is
| one of the more reliable prophylaxis against
| vulnerabilities.
|
| Unless I'm misunderstanding "turn it off and on again"
| suggest a kind of pointless, "just start over and try
| again" kind of suggestion, no?
| wolverine876 wrote:
| I disagree: I'd expect they would have discovered the
| exploit and delivered an update to patch it, and Lockdown
| Mode is not standard usage by normal users.
| mardifoufs wrote:
| How can Pegasus and NSO still be allowed to exist? I know they
| are an Israeli corporation, but even then has there been action
| against them from the Israeli government? This is basically rogue
| state behavior
| r00fus wrote:
| Have you seen how the IDF and Mossad act? They're a full-on
| rogue state that happens to have full US governmental cover.
|
| Helps to understand how the modern state of Israel came into
| existence to begin with.
| EasyMark wrote:
| Yeah I was a lukewarm Israeli supporter until last week until
| they tried to stir up a regional war by attacking an
| "embassy" in Syria. Now I say US withdraws all support and
| weapons until they quit trying to foment more chaos and drag
| us into a war with Iran. They really need to kick Netanyahu
| to the curb and get some sane leadership back in their
| government before the US provides full support again.
| r00fus wrote:
| Yeah the issue with "Netanyahu is the problem" is that most
| of the Knesset is full of even worse folks. And the
| Israelis who elect them.
|
| The country is drunk with US money and arms and hasn't had
| to really consider rational approaches to anything since
| big daddy US always funds them regardless of their actions.
___________________________________________________________________
(page generated 2024-04-11 23:00 UTC)